ctipilot.ch


CVE-2026-43503 — Linux kernel "DirtyClone": page-cache corruption via XFRM/IPsec skb cloning (working PoC)

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

JFrog Security Research published a full working-exploit walkthrough on 2026-06-25 for DirtyClone, the latest residual variant of the DirtyFrag family (JFrog Security Research, 2026-06-25). The flaw lives in __pskb_copy_fclone(), which fails to preserve the SKBFL_SHARED_FRAG safety flag when cloning a socket buffer; the cloned buffer, still referencing shared file-backed page-cache memory, is then passed through the XFRM/IPsec in-place decryption path, letting attacker-controlled bytes land in the cached image of a setuid binary such as /usr/bin/su (Red Hat, 2026-06-23). Earlier DirtyFrag fixes (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) do not close this code path; the fix is mainline commit 48f6a5356a33 (Linux v7.1-rc5, merged 2026-05-21), and most distributions had not yet shipped patched kernels at disclosure. The attack leaves no kernel-log or audit-trail artefacts.
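The brief notes that the attack leaves no kernel-log or audit-trail artefacts, but DirtyFrag-style corruption lives in the page cache, not on disk, so the cached image of a setuid binary can be compared against a fresh read from the block device. The Python below is an added defensive check written for this page, not code from JFrog, Red Hat or the brief; the directory list, the DONTNEED-based cache drop and the constructed demo file are assumptions.

```python
import hashlib
import os
import stat
import tempfile


def _sha256_fd(fd: int, chunk: int = 1 << 20) -> str:
    """Hash the whole file behind fd, reading from offset 0."""
    os.lseek(fd, 0, os.SEEK_SET)
    h = hashlib.sha256()
    while True:
        buf = os.read(fd, chunk)
        if not buf:
            break
        h.update(buf)
    return h.hexdigest()


def check_page_cache(path: str) -> dict:
    """Compare the page-cache copy of a file with a fresh read from disk.

    Read 1 returns whatever is currently cached. POSIX_FADV_DONTNEED then asks
    the kernel to drop the file's clean, unmapped cache pages, so read 2 comes
    back from the block device. Pages altered by page-cache corruption are not
    marked dirty, so they are dropped rather than written back; a mismatch
    therefore means the cached image differed from the on-disk file.
    Caveats (assumed behaviour): pages mapped by a running process stay cached,
    and a file legitimately being written will also show a mismatch.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        cached = _sha256_fd(fd)
        if hasattr(os, "posix_fadvise"):  # Linux only; elsewhere both reads are cached
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        fresh = _sha256_fd(fd)
    finally:
        os.close(fd)
    return {"path": path, "cached": cached, "fresh": fresh, "tampered": cached != fresh}


def setuid_binaries(dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Yield setuid/setgid regular files directly under the given directories."""
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for name in names:
            p = os.path.join(d, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield p


def demo_on_constructed_file() -> dict:
    """Run the check on a constructed throwaway file (expected: not tampered)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample, not a real binary\n" * 64)
        path = f.name
    try:
        return check_page_cache(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for p in setuid_binaries():
        r = check_page_cache(p)
        print(("TAMPERED " if r["tampered"] else "ok       ") + p)
```

Run as root so every setuid binary is readable; a TAMPERED line is a strong signal, while an ok line only shows the cached pages that were droppable matched the disk.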